....... Original Message .......
On Wed, 11 May 2005 00:47:49 +0200 Julian Mehnle <bulk(_at_)mehnle(_dot_)net>
wrote:
Scott Kitterman wrote:
I think that we are currently trying to fit three types of error into
two error descriptions. They are:
1. TempError - Something's wrong, but try again; it could/should get
better.
2. MistakeError - Something's wrong, it won't get better, but there's
nothing particularly scary about it.
3. DangerError - Something's wrong, it won't get better, and the error
has potential security implications.
Can a mail setup that employs SPF be significantly worse, security-wise,
than a mail setup that doesn't? What kinds of security implications do
you mean? Those that put the entire system (or significant parts thereof)
at risk, or those that just cancel or reduce the effectivity of SPF?
I mean the macro example that Wayne gave where a forger could cause an
error and get unknown instead of Fail in the classic spec.
Besides, I'm not sure it is wise to introduce a _new_ result code into the
SPFv1 specification now. As for SPFv2/3, that's a different matter.
Then let's go back to unknown. The error processing in the current draft is
already radically different than what was in the pre-MARID drafts.
I'm trying to find a reasonable way to solve the security concern that
Wayne is rightly concerned about without scaring potential new adopters
away.
Scott Kitterman